Abstract. We define five increasingly comprehensive classes of infinite-state systems, called STS1-5, whose state spaces have finitary structure. For four of these classes, we provide examples from hybrid systems.

STS1 These are the systems with finite bisimilarity quotients. They can be analyzed symbolically by (1) iterating the predecessor and boolean operations starting from a finite set of observable state sets, and (2) terminating when no new state sets are generated. This enables model checking of the µ-calculus.

STS2 These are the systems with finite similarity quotients. They can be analyzed symbolically by iterating the predecessor and positive boolean operations. This enables model checking of the existential and universal fragments of the µ-calculus.

STS3 These are the systems with finite trace-equivalence quotients. They can be analyzed symbolically by iterating the predecessor operation and a restricted form of positive boolean operations (intersection is restricted to intersection with observables). This enables model checking of linear temporal logic.

STS4 These are the systems with finite distance-equivalence quotients (two states are equivalent if for every distance d, the same observables can be reached in d transitions). The systems in this class can be analyzed symbolically by iterating the predecessor operation and terminating when no new state sets are generated. This enables model checking of the existential conjunction-free and universal disjunction-free fragments of the µ-calculus.

STS5 These are the systems with finite bounded-reachability quotients (two states are equivalent if for every distance d, the same observables can be reached in d or fewer transitions). The systems in this class can be analyzed symbolically by iterating the predecessor operation and terminating when no new states are encountered. This enables model checking of reachability properties.


0 Introduction

To explore the state space of an infinite-state transition system, it is often convenient to compute on a data type called "region," whose members represent (possibly infinite) sets of states. Regions might be implemented, for example, as constraints on the integers or reals. We say that a transition system is "symbolic" if it comes equipped with an algebra of regions which permits the effective computation of certain operations on regions. For model checking, we are particularly interested in boolean operations on regions as well as the predecessor operation, which, given a target region, computes the region of all states with successors in the target region. While a region algebra supports individual operations on regions, the iteration of these operations may generate an infinite number of distinct regions. In this paper, we study restricted classes of symbolic transition systems for which certain forms of iteration, if terminated after a finite number of operations, still yield sufficient information for checking interesting, unbounded temporal properties of the system.


0.1 Symbolic Transition Systems

Definition: Symbolic transition system A symbolic transition system $\mathcal{S} = (Q, \delta, R, \llbracket\cdot\rrbracket, P)$ consists of a (possibly infinite) set $Q$ of states, a (possibly nondeterministic) transition function $\delta\colon Q \to 2^Q$ which maps each state to a set of successor states, a (possibly infinite) set $R$ of regions, an extension function $\llbracket\cdot\rrbracket\colon R \to 2^Q$ which maps each region to a set of contained states, and a finite set $P \subseteq R$ of observables, such that the following six conditions are satisfied:

1. The set $P$ of observables covers the state space $Q$; that is, $\bigcup\{\llbracket p\rrbracket \mid p \in P\} = Q$.

2. For each region $\sigma \in R$, there is a region $Pre(\sigma) \in R$ such that

   $\llbracket Pre(\sigma)\rrbracket = \{s \in Q \mid (\exists t \in \delta(s)\colon t \in \llbracket\sigma\rrbracket)\}$;

   furthermore, the function $Pre\colon R \to R$ is computable.

3. For each pair $\sigma, \tau \in R$ of regions, there is a region $And(\sigma,\tau) \in R$ such that $\llbracket And(\sigma,\tau)\rrbracket = \llbracket\sigma\rrbracket \cap \llbracket\tau\rrbracket$; furthermore, the function $And\colon R \times R \to R$ is computable.

4. For each pair $\sigma, \tau \in R$ of regions, there is a region $Diff(\sigma,\tau) \in R$ such that $\llbracket Diff(\sigma,\tau)\rrbracket = \llbracket\sigma\rrbracket \setminus \llbracket\tau\rrbracket$; furthermore, the function $Diff\colon R \times R \to R$ is computable.

5. All emptiness questions about regions can be decided; that is, there is a computable function $Empty\colon R \to \mathbb{B}$ such that $Empty(\sigma)$ iff $\llbracket\sigma\rrbracket = \emptyset$.

6. All membership questions about regions can be decided; that is, there is a computable function $Member\colon Q \times R \to \mathbb{B}$ such that $Member(s,\sigma)$ iff $s \in \llbracket\sigma\rrbracket$.

The tuple $\mathcal{R}_{\mathcal{S}} = (P, Pre, And, Diff, Empty)$ is called the region algebra of $\mathcal{S}$. □

Remark: Duality We take an existential view of symbolic transition systems. The dual, universal view requires (1) $\bigcap\{\llbracket p\rrbracket \mid p \in P\} = \emptyset$, (2-4) closure of $R$ under computable functions $Pre$, $And$, and $Diff$ such that

$\llbracket Pre(\sigma)\rrbracket = \{s \in Q \mid (\forall t \in \delta(s)\colon t \in \llbracket\sigma\rrbracket)\}$,

$\llbracket And(\sigma,\tau)\rrbracket = \llbracket\sigma\rrbracket \cup \llbracket\tau\rrbracket$, and $\llbracket Diff(\sigma,\tau)\rrbracket = Q \setminus \llbracket Diff(\tau,\sigma)\rrbracket$, and (5) a computable function $Empty$ for deciding all universality questions about regions (that is, $Empty(\sigma)$ iff $\llbracket\sigma\rrbracket = Q$). All results of this paper have an alternative, dual formulation. □


0.2 Example: Polyhedral Hybrid Automata

A polyhedral hybrid automaton $H$ of dimension $m$, for a positive integer $m$, consists of the following components [AHH96]:

Continuous variables A set $X = \{x_1, \ldots, x_m\}$ of real-valued variables. We write $\dot X$ for the set $\{\dot x_1, \ldots, \dot x_m\}$ of dotted variables (which represent first derivatives during continuous change), and we write $X'$ for the set $\{x'_1, \ldots, x'_m\}$ of primed variables (which represent values at the conclusion of discrete change). A linear constraint over $X$ is an expression of the form $k_0 \sim k_1 x_1 + \cdots + k_m x_m$, where ${\sim} \in \{<, \le, =, \ge, >\}$ and $k_0, \ldots, k_m$ are integer constants. A linear predicate over $X$ is a boolean combination of linear constraints over $X$. Let $L_m$ be the set of linear predicates over $X$.

Discrete locations A finite directed multigraph $(V, E)$. The vertices in $V$ are called locations; the edges in $E$ are called jumps.

Invariant and flow conditions Two vertex-labeling functions $inv$ and $flow$. For each location $v \in V$, the invariant condition $inv(v)$ is a conjunction of linear constraints over $X$, and the flow condition $flow(v)$ is a conjunction of linear constraints over $\dot X$. While the automaton control resides in location $v$, the variables may evolve according to $flow(v)$ as long as $inv(v)$ remains true.

Update conditions An edge-labeling function $update$. For each jump $e \in E$, the update condition $update(e)$ is a conjunction of linear constraints over $X \cup X'$. The predicate $update(e)$ relates the possible values of the variables at the beginning of the jump (represented by $X$) and at the conclusion of the jump (represented by $X'$).

The polyhedral hybrid automaton $H$ is a rectangular automaton [HKPV98] if

— all linear constraints that occur in invariant conditions of $H$ have the form $x \sim k$, for $x \in X$ and $k \in \mathbb{Z}$;

— all linear constraints that occur in flow conditions of $H$ have the form $\dot x \sim k$, for $\dot x \in \dot X$ and $k \in \mathbb{Z}$;

— all linear constraints that occur in jump conditions of $H$ have the form $x \sim k$ or $x' = x$ or $x' \sim k$, for $x \in X$ and $k \in \mathbb{Z}$;

— if $e$ is a jump from location $v$ to location $v'$, and $update(e)$ contains the conjunct $x' = x$, then both $flow(v)$ and $flow(v')$ contain the same constraints on $\dot x$.

The rectangular automaton $H$ is a singular automaton if each flow condition of $H$ has the form $\dot x_1 = k_1 \wedge \ldots \wedge \dot x_m = k_m$. The singular automaton $H$ is a timed automaton [AD94] if each flow condition of $H$ has the form $\dot x_1 = 1 \wedge \ldots \wedge \dot x_m = 1$.

The polyhedral hybrid automaton $H$ defines the symbolic transition system $\mathcal{S}_H = (Q_H, \delta_H, R_H, \llbracket\cdot\rrbracket_H, P_H)$ with the following components:

— $Q_H = V \times \mathbb{R}^m$; that is, every state $(v, \mathbf{x})$ consists of a location $v$ (the discrete component of the state) and values $\mathbf{x}$ for the variables in $X$ (the continuous component).

— $(v', \mathbf{x}') \in \delta_H(v, \mathbf{x})$ if either (1) there is a jump $e \in E$ from $v$ to $v'$ such that the closed predicate $update(e)[X, X' := \mathbf{x}, \mathbf{x}']$ is true, or (2) $v' = v$ and there is a real $\Delta > 0$ and a differentiable function $f\colon [0, \Delta] \to \mathbb{R}^m$ with first derivative $\dot f$ such that $f(0) = \mathbf{x}$ and $f(\Delta) = \mathbf{x}'$, and for all reals $\varepsilon \in (0, \Delta)$, the closed predicates $inv(v)[X := f(\varepsilon)]$ and $flow(v)[\dot X := \dot f(\varepsilon)]$ are true. In case (2), the function $f$ is called a flow function.

— $R_H = V \times L_m$; that is, every region $(v, \phi)$ consists of a location $v$ (the discrete component of the region) and a linear predicate $\phi$ over $X$ (the continuous component).

— $\llbracket (v, \phi)\rrbracket_H = \{(v, \mathbf{x}) \mid \mathbf{x} \in \mathbb{R}^m \text{ and } \phi[X := \mathbf{x}] \text{ is true}\}$; that is, the extension function maps the continuous component $\phi$ of a region to the values for the variables in $X$ which satisfy the predicate $\phi$. Consequently, the extension of every region consists of a location and a polyhedral subset of $\mathbb{R}^m$.

— $P_H = V \times \{true\}$; that is, only the discrete component of a state is observable.

It requires some work to see that $\mathcal{S}_H$ is indeed a symbolic transition system. First, notice that the linear predicates over $X$ are closed under all boolean operations, and that satisfiability is decidable for the linear predicates. Second, the $Pre$ operator is computable on $R_H$, because all flow functions can be replaced by straight lines [AHH96].


0.3 Background Definitions

The symbolic transition systems are a special case of transition systems. A transition system $\mathcal{S} = (Q, \delta, \cdot, \llbracket\cdot\rrbracket, P)$ has the same components as a symbolic transition system, except that no regions are specified and the extension function is defined only for the observables (that is, $\llbracket\cdot\rrbracket\colon P \to 2^Q$).

State equivalences A state equivalence $\cong$ is a family of relations which contains for each transition system $\mathcal{S}$ an equivalence relation $\cong^{\mathcal{S}}$ on the states of $\mathcal{S}$. The $\cong$ equivalence problem for a class $\mathcal{C}$ of transition systems asks, given two states $s$ and $t$ of a transition system $\mathcal{S}$ from the class $\mathcal{C}$, whether $s \cong^{\mathcal{S}} t$. The state equivalence $\cong_a$ is as coarse as the state equivalence $\cong_b$ if $s \cong_b^{\mathcal{S}} t$ implies $s \cong_a^{\mathcal{S}} t$ for all transition systems $\mathcal{S}$. The equivalence $\cong_a$ is coarser than $\cong_b$ if $\cong_a$ is as coarse as $\cong_b$, but $\cong_b$ is not as coarse as $\cong_a$. Given a transition system $\mathcal{S} = (Q, \delta, \cdot, \llbracket\cdot\rrbracket, P)$ and a state equivalence $\cong$, the quotient system is the transition system $\mathcal{S}/{\cong} = (Q/{\cong}, \delta/{\cong}, \cdot, \llbracket\cdot\rrbracket/{\cong}, P)$ with the following components:

— the states in $\mathcal{S}/{\cong}$ are the equivalence classes of $\cong^{\mathcal{S}}$;

— $\tau \in \delta/{\cong}(\sigma)$ if there is a state $s \in \sigma$ and a state $t \in \tau$ such that $t \in \delta(s)$;

— $\sigma \in \llbracket p\rrbracket/{\cong}$ if there is a state $s \in \sigma$ such that $s \in \llbracket p\rrbracket$.

The quotient construction is of particular interest to us when it transforms an infinite-state system $\mathcal{S}$ into a finite-state system $\mathcal{S}/{\cong}$.

State logics A state logic $L$ is a logic whose formulas are interpreted over the states of transition systems; that is, for every $L$-formula $\varphi$ and every transition system $\mathcal{S}$, there is a set $\llbracket\varphi\rrbracket_{\mathcal{S}}$ of states of $\mathcal{S}$ which satisfy $\varphi$. The $L$ model-checking problem for a class $\mathcal{C}$ of transition systems asks, given an $L$-formula $\varphi$ and a state $s$ of a transition system $\mathcal{S}$ from the class $\mathcal{C}$, whether $s \in \llbracket\varphi\rrbracket_{\mathcal{S}}$. Two formulas $\varphi$ and $\psi$ of state logics are equivalent if $\llbracket\varphi\rrbracket_{\mathcal{S}} = \llbracket\psi\rrbracket_{\mathcal{S}}$ for all transition systems $\mathcal{S}$. The state logic $L_a$ is as expressive as the state logic $L_b$ if for every $L_b$-formula $\varphi$, there is an $L_a$-formula $\psi$ which is equivalent to $\varphi$. The logic $L_a$ is more expressive than $L_b$ if $L_a$ is as expressive as $L_b$, but $L_b$ is not as expressive as $L_a$. Every state logic $L$ induces a state equivalence, denoted $\cong_L$: for all states $s$ and $t$ of a transition system $\mathcal{S}$, define $s \cong_L^{\mathcal{S}} t$ if for all $L$-formulas $\varphi$, we have $s \in \llbracket\varphi\rrbracket_{\mathcal{S}}$ iff $t \in \llbracket\varphi\rrbracket_{\mathcal{S}}$. The state logic $L$ admits abstraction if for every $L$-formula $\varphi$ and every transition system $\mathcal{S}$, we have $\llbracket\varphi\rrbracket_{\mathcal{S}} = \bigcup\{\sigma \mid \sigma \in \llbracket\varphi\rrbracket_{\mathcal{S}/{\cong_L}}\}$; that is, a state $s$ of $\mathcal{S}$ satisfies an $L$-formula $\varphi$ iff the $\cong_L$ equivalence class of $s$ satisfies $\varphi$ in the quotient system. Consequently, if $L$ admits abstraction, then every $L$ model-checking question on a transition system $\mathcal{S}$ can be reduced to an $L$ model-checking question on the induced quotient system $\mathcal{S}/{\cong_L}$. Below, we shall repeatedly prove the $L$ model-checking problem for a class $\mathcal{C}$ to be decidable by observing that for every transition system $\mathcal{S}$ from $\mathcal{C}$, the quotient system $\mathcal{S}/{\cong_L}$ has finitely many states and can be constructed effectively.

Symbolic semi-algorithms A symbolic semi-algorithm takes as input the region algebra $\mathcal{R}_{\mathcal{S}} = (P, Pre, And, Diff, Empty)$ of a symbolic transition system $\mathcal{S} = (Q, \delta, R, \llbracket\cdot\rrbracket, P)$, and generates regions in $R$ using the operations $P$, $Pre$, $And$, $Diff$, and $Empty$. Depending on the input $\mathcal{S}$, a symbolic semi-algorithm on $\mathcal{S}$ may or may not terminate.

0.4 Preview

In sections 1-5 of this paper, we shall define five increasingly comprehensive classes of symbolic transition systems. In each case $i \in \{1, \ldots, 5\}$, we will proceed in four steps:

1 Definition: Finite characterization We give a state equivalence $\cong_i$ and define the class STS($i$) to contain precisely the symbolic transition systems $\mathcal{S}$ for which the equivalence relation $\cong_i^{\mathcal{S}}$ has finite index (i.e., there are finitely many $\cong_i^{\mathcal{S}}$ equivalence classes). Each state equivalence $\cong_i$ is coarser than its predecessor, which implies that STS($i-1$) $\subseteq$ STS($i$) for $i \in \{2, \ldots, 5\}$.

2 Algorithmics: Symbolic state-space exploration We give a symbolic semi-algorithm that terminates precisely on the symbolic transition systems in the class STS($i$). This provides an operational characterization of the class STS($i$) which is equivalent to the denotational definition of STS($i$). Termination of the semi-algorithm is proved by observing that if given the region algebra of a symbolic transition system $\mathcal{S}$ as input, then the extensions of all regions generated by the semi-algorithm are $\cong_i^{\mathcal{S}}$ blocks (i.e., unions of $\cong_i^{\mathcal{S}}$ equivalence classes). If $\mathcal{S}$ is in the class STS($i$), then there are only finitely many $\cong_i^{\mathcal{S}}$ blocks, and the semi-algorithm terminates upon having constructed a representation of the quotient system $\mathcal{S}/{\cong_i}$. The semi-algorithm can therefore be used to decide all $\cong_i$ equivalence questions for the class STS($i$).

3 Verification: Decidable properties We give a state logic $L_i$ which admits abstraction and induces the state equivalence $\cong_i$. Since $\cong_i$ quotients can be constructed effectively, it follows that the $L_i$ model-checking problem for the class STS($i$) is decidable. However, model-checking algorithms which rely on the explicit construction of quotient systems are usually impractical. Hence, we also give a symbolic semi-algorithm that terminates on the symbolic transition systems in the class STS($i$) and directly decides all $L_i$ model-checking questions for this class.

4 Example: Hybrid systems The interesting members of the class STS($i$) are those with infinitely many states. In four out of the five cases, following [Hen96], we provide certain kinds of polyhedral hybrid automata as examples.

1 Class-1 Symbolic Transition Systems

Class-1 systems are characterized by finite bisimilarity quotients. The region algebra of a class-1 system has a finite subalgebra that contains the observables and is closed under $Pre$, $And$, and $Diff$ operations. This enables the model checking of all µ-calculus properties. Infinite-state examples of class-1 systems are provided by the singular hybrid automata.

1.1 Finite Characterization: Bisimilarity

Definition: Bisimilarity Let $\mathcal{S} = (Q, \delta, \cdot, \llbracket\cdot\rrbracket, P)$ be a transition system. A binary relation $\preceq$ on the state space $Q$ is a simulation on $\mathcal{S}$ if $s \preceq t$ implies the following two conditions:

1. For each observable $p \in P$, we have $s \in \llbracket p\rrbracket$ iff $t \in \llbracket p\rrbracket$.

2. For each state $s' \in \delta(s)$, there is a state $t' \in \delta(t)$ such that $s' \preceq t'$.
Symbolic semi-algorithm Closure1

Input: a region algebra $\mathcal{R} = (P, Pre, And, Diff, Empty)$.

  $T_0 := P$;
  for $i = 0, 1, 2, \ldots$ do
    $T_{i+1} := T_i \cup \{Pre(\sigma) \mid \sigma \in T_i\} \cup \{And(\sigma,\tau) \mid \sigma, \tau \in T_i\} \cup \{Diff(\sigma,\tau) \mid \sigma, \tau \in T_i\}$
  until $\llbracket T_{i+1}\rrbracket \subseteq \llbracket T_i\rrbracket$

The termination test $\llbracket T_{i+1}\rrbracket \subseteq \llbracket T_i\rrbracket$, which is shorthand for $\{\llbracket\sigma\rrbracket \mid \sigma \in T_{i+1}\} \subseteq \{\llbracket\sigma\rrbracket \mid \sigma \in T_i\}$, is decided as follows: for each region $\sigma \in T_{i+1}$ check that there is a region $\tau \in T_i$ such that both $Empty(Diff(\sigma,\tau))$ and $Empty(Diff(\tau,\sigma))$.

Fig. 1. Partition refinement


Two states $s, t \in Q$ are bisimilar, denoted $s \cong_1^{\mathcal{S}} t$, if there is a symmetric simulation $\preceq$ on $\mathcal{S}$ such that $s \preceq t$. The state equivalence $\cong_1$ is called bisimilarity. □

Definition: Class STS1 A symbolic transition system $\mathcal{S}$ belongs to the class STS1 if the bisimilarity relation $\cong_1^{\mathcal{S}}$ has finite index. □

1.2 Symbolic State-space Exploration: Partition Refinement

The bisimilarity relation of a finite-state system can be computed by partition refinement [KS90]. The symbolic semi-algorithm Closure1 of Figure 1 applies this method to infinite-state systems [BFH90,Hen95]. Suppose that the input given to Closure1 is the region algebra of a symbolic transition system $\mathcal{S} = (Q, \delta, R, \llbracket\cdot\rrbracket, P)$. Then each $T_i$, for $i \ge 0$, is a finite set of regions; that is, $T_i \subseteq R$. By induction it is easy to check that for all $i \ge 0$, the extension of every region in $T_i$ is a $\cong_1^{\mathcal{S}}$ block. Thus, if $\cong_1^{\mathcal{S}}$ has finite index, then Closure1 terminates. Conversely, suppose that Closure1 terminates with $\llbracket T_{i+1}\rrbracket \subseteq \llbracket T_i\rrbracket$. From the definition of bisimilarity it follows that if for each region $\sigma \in T_i$, we have $s \in \llbracket\sigma\rrbracket$ iff $t \in \llbracket\sigma\rrbracket$, then $s \cong_1^{\mathcal{S}} t$. This implies that $\cong_1^{\mathcal{S}}$ has finite index.

Theorem 1A For all symbolic transition systems $\mathcal{S}$, the symbolic semi-algorithm Closure1 terminates on the region algebra $\mathcal{R}_{\mathcal{S}}$ iff $\mathcal{S}$ belongs to the class STS1.

Corollary 1A The $\cong_1$ (bisimilarity) equivalence problem is decidable for the class STS1 of symbolic transition systems.

1.3 Decidable Properties: Branching Time

Definition: µ-calculus The formulas of the µ-calculus are generated by the grammar

$\varphi ::= p \mid \bar p \mid x \mid \varphi \vee \varphi \mid \varphi \wedge \varphi \mid \exists\bigcirc\varphi \mid \forall\bigcirc\varphi \mid (\mu x\colon \varphi) \mid (\nu x\colon \varphi)$,

for constants $p$ from some set $\Pi$, and variables $x$ from some set $X$. Let $\mathcal{S}$ be a transition system whose observables include all constants; that is, $\Pi \subseteq P$. Let $\xi\colon X \to 2^Q$ be a mapping from the variables to sets of states. We write $\xi[x \mapsto \rho]$ for the mapping that agrees with $\xi$ on all variables, except that $x \in X$ is mapped to $\rho \subseteq Q$. Given $\mathcal{S}$ and $\xi$, every formula $\varphi$ of the µ-calculus defines a set $\llbracket\varphi\rrbracket_{\mathcal{S},\xi} \subseteq Q$ of states:

$\llbracket p\rrbracket_{\mathcal{S},\xi} = \llbracket p\rrbracket$;

$\llbracket \bar p\rrbracket_{\mathcal{S},\xi} = Q \setminus \llbracket p\rrbracket$;

$\llbracket x\rrbracket_{\mathcal{S},\xi} = \xi(x)$;

$\llbracket \varphi_1 \{\vee,\wedge\} \varphi_2\rrbracket_{\mathcal{S},\xi} = \llbracket\varphi_1\rrbracket_{\mathcal{S},\xi} \{\cup,\cap\} \llbracket\varphi_2\rrbracket_{\mathcal{S},\xi}$;

$\llbracket \{\exists,\forall\}\bigcirc\varphi\rrbracket_{\mathcal{S},\xi} = \{s \in Q \mid (\{\exists,\forall\} t \in \delta(s)\colon t \in \llbracket\varphi\rrbracket_{\mathcal{S},\xi})\}$;

$\llbracket \{\mu,\nu\}x\colon \varphi\rrbracket_{\mathcal{S},\xi} = \{\bigcap,\bigcup\}\{\rho \subseteq Q \mid \rho = \llbracket\varphi\rrbracket_{\mathcal{S},\xi[x \mapsto \rho]}\}$.

If we restrict ourselves to the closed formulas of the µ-calculus, then we obtain a state logic, denoted $L_1$: the state $s \in Q$ satisfies the $L_1$-formula $\varphi$ if $s \in \llbracket\varphi\rrbracket_{\mathcal{S},\xi}$ for any variable mapping $\xi$; that is, $\llbracket\varphi\rrbracket_{\mathcal{S}} = \llbracket\varphi\rrbracket_{\mathcal{S},\xi}$ for any $\xi$. □

Remark: Duality For every $L_1$-formula $\varphi$, the dual $L_1$-formula $\bar\varphi$ is obtained by replacing the constructors $p$, $\bar p$, $\vee$, $\wedge$, $\exists\bigcirc$, $\forall\bigcirc$, $\mu$, and $\nu$ by $\bar p$, $p$, $\wedge$, $\vee$, $\forall\bigcirc$, $\exists\bigcirc$, $\nu$, and $\mu$, respectively. Then, $\llbracket\bar\varphi\rrbracket_{\mathcal{S}} = Q \setminus \llbracket\varphi\rrbracket_{\mathcal{S}}$. It follows that the answer of the model-checking question for a state $s \in Q$ and an $L_1$-formula $\varphi$ is complementary to the answer of the model-checking question for $s$ and the dual formula $\bar\varphi$. □

The following facts about the µ-calculus are relevant in our context [AH98]. First, $L_1$ admits abstraction, and the state equivalence induced by $L_1$ is $\cong_1$ (bisimilarity). Second, $L_1$ is very expressive; in particular, $L_1$ is more expressive than the temporal logics CTL* and CTL, which also induce bisimilarity. Third, the definition of $L_1$ naturally suggests a model-checking method for finite-state systems, where each fixpoint can be computed by successive approximation. The symbolic semi-algorithm ModelCheck of Figure 2 applies this method to infinite-state systems.

Suppose that the input given to ModelCheck is the region algebra of a symbolic transition system $\mathcal{S} = (Q, \delta, R, \llbracket\cdot\rrbracket, P)$, a µ-calculus formula $\varphi$, and any mapping $E\colon X \to 2^R$ from the variables to sets of regions. Then for each recursive call of ModelCheck, each $T_i$, for $i \ge 0$, is a finite set of regions from $R$, and each recursive call returns a finite set of regions from $R$. It is easy to check that all of these regions are also generated by the semi-algorithm Closure1 on input $\mathcal{R}_{\mathcal{S}}$. Thus, if Closure1 terminates, then so does ModelCheck. Furthermore, if it terminates, then ModelCheck returns a set $[\varphi]_E \subseteq R$ of regions such that $\bigcup\{\llbracket\sigma\rrbracket \mid \sigma \in [\varphi]_E\} = \llbracket\varphi\rrbracket_{\mathcal{S},\xi}$, where $\xi(x) = \bigcup\{\llbracket\sigma\rrbracket \mid \sigma \in E(x)\}$ for all $x \in X$. In particular, if $\varphi$ is closed, then a state $s \in Q$ satisfies $\varphi$ iff $Member(s,\sigma)$ for some region $\sigma \in [\varphi]_E$.

Theorem 1B For all symbolic transition systems $\mathcal{S}$ in STS1 and every $L_1$-formula $\varphi$, the symbolic semi-algorithm ModelCheck terminates on the region algebra $\mathcal{R}_{\mathcal{S}}$ and the input formula $\varphi$.


Symbolic semi-algorithm ModelCheck

Input: a region algebra $\mathcal{R} = (P, Pre, And, Diff, Empty)$, a formula $\varphi \in L_1$, and a mapping $E$ with domain $X$.

Output: $[\varphi]_E :=$
  if $\varphi = p$ then return $\{p\}$;
  if $\varphi = \bar p$ then return $\{Diff(q, p) \mid q \in P\}$;
  if $\varphi = (\varphi_1 \vee \varphi_2)$ then return $[\varphi_1]_E \cup [\varphi_2]_E$;
  if $\varphi = (\varphi_1 \wedge \varphi_2)$ then return $\{And(\sigma,\tau) \mid \sigma \in [\varphi_1]_E \text{ and } \tau \in [\varphi_2]_E\}$;
  if $\varphi = \exists\bigcirc\varphi'$ then return $\{Pre(\sigma) \mid \sigma \in [\varphi']_E\}$;
  if $\varphi = \forall\bigcirc\varphi'$ then return $P \setminus\!\setminus \{Pre(\sigma) \mid \sigma \in (P \setminus\!\setminus [\varphi']_E)\}$;
  if $\varphi = (\mu x\colon \varphi')$ then
    $T_0 := \emptyset$;
    for $i = 0, 1, 2, \ldots$ do
      $T_{i+1} := [\varphi']_{E[x \mapsto T_i]}$
    until $\bigcup\{\llbracket\sigma\rrbracket \mid \sigma \in T_{i+1}\} \subseteq \bigcup\{\llbracket\sigma\rrbracket \mid \sigma \in T_i\}$;
    return $T_i$;
  if $\varphi = (\nu x\colon \varphi')$ then
    $T_0 := P$;
    for $i = 0, 1, 2, \ldots$ do
      $T_{i+1} := [\varphi']_{E[x \mapsto T_i]}$
    until $\bigcup\{\llbracket\sigma\rrbracket \mid \sigma \in T_{i+1}\} \supseteq \bigcup\{\llbracket\sigma\rrbracket \mid \sigma \in T_i\}$;
    return $T_i$.

The pairwise-difference operation $T \setminus\!\setminus T'$ between two finite sets $T$ and $T'$ of regions is computed inductively as follows:

$T \setminus\!\setminus \emptyset = T$;

$T \setminus\!\setminus (\{\tau\} \cup T') = \{Diff(\sigma,\tau) \mid \sigma \in T\} \setminus\!\setminus T'$.

The termination test $\bigcup\{\llbracket\sigma\rrbracket \mid \sigma \in T\} \subseteq \bigcup\{\llbracket\sigma\rrbracket \mid \sigma \in T'\}$ is decided by checking that $Empty(\sigma)$ for each region $\sigma \in (T \setminus\!\setminus T')$.

Fig. 2. Model checking


Corollary 1B The $L_1$ model-checking problem is decidable for the class STS1 of symbolic transition systems.


1.4 Example: Singular Hybrid Automata

The fundamental theorem of timed automata [AD94] shows that for every timed automaton, the (time-abstract) bisimilarity relation has finite index. The proof can be extended to the singular automata [ACH+95]. It follows that the symbolic semi-algorithm ModelCheck, which has been implemented for polyhedral hybrid automata in the tool HyTech [HHWT95], decides all $L_1$ model-checking questions for singular automata. The singular automata form a maximal class of hybrid automata in STS1. This is because there is a 2D (two-dimensional) rectangular automaton whose bisimilarity relation is state equality [Hen95].

Theorem 1C The singular automata belong to the class STS1. There is a 2D rectangular automaton that does not belong to STS1.

2 Class-2 Symbolic Transition Systems

Class-2 systems are characterized by finite similarity quotients. The region algebra of a class-2 system has a finite subalgebra that contains the observables and is closed under $Pre$ and $And$ operations. This enables the model checking of all existential and universal µ-calculus properties. Infinite-state examples of class-2 systems are provided by the 2D rectangular hybrid automata.

2.1 Finite Characterization: Similarity

Definition: Similarity Let $\mathcal{S}$ be a transition system. Two states $s$ and $t$ of $\mathcal{S}$ are similar, denoted $s \cong_2^{\mathcal{S}} t$, if there is a simulation $\preceq$ on $\mathcal{S}$ such that both $s \preceq t$ and $t \preceq s$. The state equivalence $\cong_2$ is called similarity. □

Definition: Class STS2 A symbolic transition system $\mathcal{S}$ belongs to the class STS2 if the similarity relation $\cong_2^{\mathcal{S}}$ has finite index. □

Since similarity is coarser than bisimilarity [vG90], the class STS2 of symbolic transition systems is a proper extension of STS1.

2.2 Symbolic State-space Exploration: Intersection Refinement

The symbolic semi-algorithm Closure2 of Figure 3 is an abstract version of the method presented in [HHK95] for computing the similarity relation of an infinite-state system. Suppose that the input given to Closure2 is the region algebra of a symbolic transition system $\mathcal{S} = (Q, \delta, R, \llbracket\cdot\rrbracket, P)$. Given two states $s, t \in Q$, we say that $t$ simulates $s$ if $s \preceq t$ for some simulation $\preceq$ on $\mathcal{S}$. For $i \ge 0$ and $s \in Q$, define

$Sim_i(s) = \bigcap\{\llbracket\sigma\rrbracket \mid \sigma \in T_i \text{ and } s \in \llbracket\sigma\rrbracket\}$,

where the set $T_i$ of regions is computed by Closure2. By induction it is easy to check that for all $i \ge 0$, if $t$ simulates $s$, then $t \in Sim_i(s)$. Thus, the extension of every region in $T_i$ is a $\cong_2^{\mathcal{S}}$ block, and if $\cong_2^{\mathcal{S}}$ has finite index, then Closure2 terminates. Conversely, suppose that Closure2 terminates with $\llbracket T_{i+1}\rrbracket \subseteq \llbracket T_i\rrbracket$. From the definition of simulations it follows that if $t \in Sim_i(s)$, then $t$ simulates $s$. This implies that $\cong_2^{\mathcal{S}}$ has finite index.

Theorem 2A For all symbolic transition systems $\mathcal{S}$, the symbolic semi-algorithm Closure2 terminates on the region algebra $\mathcal{R}_{\mathcal{S}}$ iff $\mathcal{S}$ belongs to the class STS2.

Corollary 2A The $\cong_2$ (similarity) equivalence problem is decidable for the class STS2 of symbolic transition systems.




Symbolic semi-algorithm Closure2

Input: a region algebra $\mathcal{R} = (P, Pre, And, Diff, Empty)$.

  $T_0 := P$;
  for $i = 0, 1, 2, \ldots$ do
    $T_{i+1} := T_i \cup \{Pre(\sigma) \mid \sigma \in T_i\} \cup \{And(\sigma,\tau) \mid \sigma, \tau \in T_i\}$
  until $\llbracket T_{i+1}\rrbracket \subseteq \llbracket T_i\rrbracket$

The termination test $\llbracket T_{i+1}\rrbracket \subseteq \llbracket T_i\rrbracket$ is decided as in Figure 1.

Fig. 3. Intersection refinement
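An added example, not from the paper, that instantiates the region algebra of section 0.1 on an infinite-state system and runs Closure1 (Figure 1) and Closure2 (Figure 3) on it with the termination test of Figure 1: the system is a constructed natural-number counter that may reset at any step, its regions are finite unions of integer intervals (so $Pre$, $And$, $Diff$, $Empty$ and $Member$ are all computable), and the two closures yield the full boolean subalgebra versus the smaller $Pre$/$And$-closed one over the same four equivalence classes. The counter, its observables and the interval encoding are assumptions of this example.

```python
# Added example, not from the paper: a constructed infinite-state symbolic
# transition system with a computable region algebra, and the semi-algorithms
# Closure1 (Fig. 1) and Closure2 (Fig. 3) run on it.
# Constructed system: states Q = {0, 1, 2, ...}, transitions delta(n) = {n+1, 0}
# (a counter that may be reset at any step), observables p = [0,2], q = [3,oo).
# A region is a canonical tuple of disjoint integer intervals (lo, hi);
# hi = INF (None) means the interval is unbounded to the right.
from itertools import product

INF = None

def _key(iv):
    return (iv[0], float("inf") if iv[1] is INF else iv[1])

def norm(ivs):
    """Canonical form: drop empty intervals, sort, merge overlapping/adjacent ones."""
    out = []
    for lo, hi in sorted((iv for iv in ivs if iv[1] is INF or iv[0] <= iv[1]), key=_key):
        if out and (out[-1][1] is INF or lo <= out[-1][1] + 1):
            if out[-1][1] is not INF and (hi is INF or hi > out[-1][1]):
                out[-1] = (out[-1][0], hi)
        else:
            out.append((lo, hi))
    return tuple(out)

def And(a, b):
    """[[And(a,b)]] = [[a]] intersect [[b]], by pairwise interval intersection."""
    res = []
    for (lo1, hi1), (lo2, hi2) in product(a, b):
        hi = hi2 if hi1 is INF else (hi1 if hi2 is INF else min(hi1, hi2))
        res.append((max(lo1, lo2), hi))
    return norm(res)

def complement(a):
    """Q \\ [[a]]: the gaps between the sorted intervals of a, plus the tail."""
    res, start = [], 0
    for lo, hi in a:
        if lo > start:
            res.append((start, lo - 1))
        if hi is INF:
            return norm(res)
        start = hi + 1
    return norm(res + [(start, INF)])

def Diff(a, b):
    """[[Diff(a,b)]] = [[a]] \\ [[b]]."""
    return And(a, complement(b))

def Empty(a):
    return len(a) == 0

def Member(n, a):
    return any(lo <= n and (hi is INF or n <= hi) for lo, hi in a)

def Pre(a):
    """[[Pre(a)]] = {n | some successor of n is in [[a]]} for delta(n) = {n+1, 0}."""
    res = [(max(lo - 1, 0), INF if hi is INF else hi - 1) for lo, hi in a]
    if Member(0, a):  # 0 is a successor of every state, so every state qualifies
        res.append((0, INF))
    return norm(res)

def closure(P, with_diff):
    """Closure1 if with_diff (Fig. 1), else Closure2 (Fig. 3); returns the final T_i."""
    T = set(P)
    while True:
        new = set(T)
        new |= {Pre(s) for s in T}
        new |= {And(s, t) for s in T for t in T}
        if with_diff:
            new |= {Diff(s, t) for s in T for t in T}
        # Termination test [[T_{i+1}]] subset-of [[T_i]], decided as in Fig. 1:
        # every new region has an extension-equal old region.
        if all(any(Empty(Diff(s, t)) and Empty(Diff(t, s)) for t in T) for s in new):
            return T
        T = new

def blocks(T):
    """Minimal nonempty regions of a closed set T: the equivalence classes it represents."""
    return {s for s in T if not Empty(s)
            and not any(not Empty(t) and t != s and Empty(Diff(t, s)) for t in T)}

OBSERVABLES = [((0, 2),), ((3, INF),)]  # p and q of the constructed system

if __name__ == "__main__":
    T1, T2 = closure(OBSERVABLES, True), closure(OBSERVABLES, False)
    print(len(T1), "regions closed under Pre/And/Diff; blocks:", sorted(blocks(T1)))
    print(len(T2), "regions closed under Pre/And;      blocks:", sorted(blocks(T2)))
```

Closure1 stops at the 16 unions of the four blocks {0}, {1}, {2}, [3,oo), while Closure2 stops at the 11 contiguous intervals over the same blocks, so both quotients have four classes.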


2.3 Decidable Properties: Negation-free Branching Time

Definition: Negation-free µ-calculus The negation-free µ-calculus consists of the µ-calculus formulas that are generated by the grammar

$\varphi ::= p \mid x \mid \varphi \vee \varphi \mid \varphi \wedge \varphi \mid \exists\bigcirc\varphi \mid (\mu x\colon \varphi) \mid (\nu x\colon \varphi)$,

for constants $p \in \Pi$ and variables $x \in X$. The state logic $L_2^\exists$ consists of the closed formulas of the negation-free µ-calculus. The state logic $L_2^\forall$ consists of the duals of all $L_2^\exists$-formulas. □

The following facts about the negation-free µ-calculus and its dual are relevant in our context [AH98]. First, both $L_2^\exists$ and $L_2^\forall$ admit abstraction, and the state equivalence induced by both $L_2^\exists$ and $L_2^\forall$ is $\cong_2$ (similarity). It follows that the logic $L_1$ with negation is more expressive than either $L_2^\exists$ or $L_2^\forall$. Second, the negation-free logic $L_2^\exists$ is more expressive than the existential fragments of CTL* and CTL, which also induce similarity, and the dual logic $L_2^\forall$ is more expressive than the universal fragments of CTL* and CTL, which again induce similarity.

If we apply the symbolic semi-algorithm ModelCheck of Figure 2 to the region algebra of a symbolic transition system $\mathcal{S}$ and an input formula from $L_2^\exists$, then the cases $\varphi = \bar p$ and $\varphi = \forall\bigcirc\varphi'$ are never executed. It follows that all regions which are generated by ModelCheck are also generated by the semi-algorithm Closure2 on input $\mathcal{R}_{\mathcal{S}}$. Thus, if Closure2 terminates, then so does ModelCheck.

Theorem 2B For all symbolic transition systems $\mathcal{S}$ in STS2 and every $L_2^\exists$-formula $\varphi$, the symbolic semi-algorithm ModelCheck terminates on the region algebra $\mathcal{R}_{\mathcal{S}}$ and the input formula $\varphi$.

Corollary 2B The $L_2^\exists$ and $L_2^\forall$ model-checking problems are decidable for the class STS2 of symbolic transition systems.
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2.4  Example:  2D  Rectangular  Hybrid  Automata 

For every 2D rectangular automaton, the (time-abstract) similarity relation has finite index [HHK95]. It follows that the symbolic semi-algorithm ModelCheck, as implemented in HyTech, decides all $L^\mu_2$ and $\overline{L^\mu_2}$ model-checking questions for 2D rectangular automata. The 2D rectangular automata form a maximal class of hybrid automata in STS2, because there is a 3D rectangular automaton whose similarity relation is state equality [HK96].

Theorem 2C The 2D rectangular automata belong to the class STS2. There is a 3D rectangular automaton that does not belong to STS2.

3 Class-3 Symbolic Transition Systems

Class-3 systems are characterized by finite trace-equivalence quotients. The region algebra of a class-3 system has a finite subalgebra that contains the observables and is closed under Pre operations and those And operations for which one of the two arguments is an observable. This enables the model checking of all linear temporal properties. Infinite-state examples of class-3 systems are provided by the rectangular hybrid automata.


3.1 Finite Characterization: Traces

Definition: Trace equivalence Let $S = (Q, \delta, \cdot, \llbracket\cdot\rrbracket, P)$ be a transition system. Given a state $s_0 \in Q$, a source-$s_0$ trace $\pi$ of $S$ is a finite sequence $p_0 p_1 \ldots p_n$ of observables $p_i \in P$ such that

1. $s_0 \in \llbracket p_0 \rrbracket$;

2. for all $0 \le i < n$, there is a state $s_{i+1} \in (\delta(s_i) \cap \llbracket p_{i+1} \rrbracket)$.

The number $n$ (one less than the number of observables in $\pi$) is called the length of the trace $\pi$, the final state $s_n$ is the sink of $\pi$, and the final observable $p_n$ is the target of $\pi$. Two states $s, t \in Q$ are trace equivalent, denoted $s \cong_3 t$, if every source-$s$ trace of $S$ is a source-$t$ trace of $S$, and vice versa. The state equivalence $\cong_3$ is called trace equivalence. □

Definition: Class STS3 A symbolic transition system $S$ belongs to the class STS3 if the trace-equivalence relation $\cong_3$ has finite index. □

Since trace equivalence is coarser than similarity [vG90], the class STS3 of symbolic transition systems is a proper extension of STS2.


3.2 Symbolic State-space Exploration: Observation Refinement

Trace equivalence can be characterized operationally by the symbolic semi-algorithm Closure3 of Figure 4. We shall show that, when the input is the region algebra of a symbolic transition system $S = (Q, \delta, \Sigma, \llbracket\cdot\rrbracket, P)$, then Closure3 terminates iff the trace-equivalence relation $\cong_3$ has finite index. Furthermore, upon termination, $s \cong_3 t$ iff for each region $\sigma \in T_i$, we have $s \in \llbracket\sigma\rrbracket$ iff $t \in \llbracket\sigma\rrbracket$.

Symbolic semi-algorithm Closure3

Input: a region algebra $\mathcal{R} = (P, \mathit{Pre}, \mathit{And}, \mathit{Diff}, \mathit{Empty})$.

$T_0 := P$;
for $i = 0, 1, 2, \ldots$ do
    $T_{i+1} := T_i \;\cup\; \{\mathit{Pre}(\sigma) \mid \sigma \in T_i\} \;\cup\; \{\mathit{And}(\sigma, p) \mid \sigma \in T_i \text{ and } p \in P\}$
until $\llbracket T_{i+1} \rrbracket \subseteq \llbracket T_i \rrbracket$.

The termination test $\llbracket T_{i+1} \rrbracket \subseteq \llbracket T_i \rrbracket$ is decided as in Figure 1.

Fig. 4. Observation refinement

Theorem 3A For all symbolic transition systems $S$, the symbolic semi-algorithm Closure3 terminates on the region algebra $\mathcal{R}_S$ iff $S$ belongs to the class STS3.

Proof [HM99] We proceed in two steps. First, we show that Closure3 terminates on the region algebra $\mathcal{R}_S$ iff the equivalence relation $\cong_{L^\mu_3}$ induced by the linear-time $\mu$-calculus (defined below) has finite index. Second, we show that $\cong_{L^\mu_3}$ coincides with trace equivalence. The proof of the first part proceeds as usual. It can be seen by induction that for all $i \ge 0$, the extension of every region in $T_i$, as computed by Closure3, is a $\cong_{L^\mu_3}$-block. Thus, if $\cong_{L^\mu_3}$ has finite index, then Closure3 terminates. Conversely, suppose that Closure3 terminates with $\llbracket T_{i+1} \rrbracket \subseteq \llbracket T_i \rrbracket$. It can be shown that if two states are not $\cong_{L^\mu_3}$-equivalent, then there is a region in $T_i$ which contains one state but not the other. It follows that if for each region $\sigma \in T_i$, we have $s \in \llbracket\sigma\rrbracket$ iff $t \in \llbracket\sigma\rrbracket$, then $s \cong_{L^\mu_3} t$. This implies that $\cong_{L^\mu_3}$ has finite index.

For the second part, we show that $L^\mu_3$ is as expressive as the logic $\exists$Büchi, whose formulas are the existentially interpreted Büchi automata, and that $\exists$Büchi is as expressive as $L^\mu_3$. This result is implicit in a proof by [EJS93]. By induction on the structure of an $L^\mu_3$-formula $\varphi$, we can construct a Büchi automaton $B_\varphi$ such that for all transition systems $S$, a state $s$ of $S$ satisfies $\varphi$ iff some infinite source-$s$ trace of $S$ is accepted by $B_\varphi$. Conversely, given a Büchi automaton $B$, we can construct an $L^\mu_3$-formula which is equivalent to $\exists B$ [Dam94]. Since the state equivalence induced by $\exists$Büchi is trace equivalence, it follows that $\cong_{L^\mu_3}$ is also trace equivalence. □

Corollary 3A The $\cong_3$ (trace) equivalence problem is decidable for the class STS3 of symbolic transition systems.
3.3 Decidable Properties: Linear Time

Definition: Linear-time $\mu$-calculus The linear-time $\mu$-calculus (also called "L1" in [EJS93]) consists of the $\mu$-calculus formulas that are generated by the grammar

$$\varphi ::= p \mid x \mid \varphi \vee \varphi \mid p \wedge \varphi \mid \exists\bigcirc\varphi \mid (\mu x : \varphi) \mid (\nu x : \varphi),$$

for constants $p \in \Pi$ and variables $x \in X$. The state logic $L^\mu_3$ consists of the closed formulas of the linear-time $\mu$-calculus. The state logic $\overline{L^\mu_3}$ consists of the duals of all $L^\mu_3$-formulas. □

The following facts about the linear-time $\mu$-calculus and its dual are relevant in our context (cf. the second part of the proof of Theorem 3A). First, both $L^\mu_3$ and $\overline{L^\mu_3}$ admit abstraction, and the state equivalence induced by both $L^\mu_3$ and $\overline{L^\mu_3}$ is $\cong_3$ (trace equivalence). It follows that the logic $L^\mu_2$ with unrestricted conjunction is more expressive than $L^\mu_3$, and $\overline{L^\mu_2}$ is more expressive than $\overline{L^\mu_3}$. Second, the logic $L^\mu_3$ with restricted conjunction is more expressive than the existential interpretation of the linear temporal logic LTL, which also induces trace equivalence. For example, the existential LTL formula $\exists(p\,\mathcal{U}\,q)$ ("on some trace, $p$ until $q$") is equivalent to the $L^\mu_3$-formula $(\mu x : q \vee (p \wedge \exists\bigcirc x))$ (notice that one argument of the conjunction is a constant). The dual logic $\overline{L^\mu_3}$ is more expressive than the usual, universal interpretation of LTL, which again induces trace equivalence. For example, the (universal) LTL formula $p\,\mathcal{W}\,q$ ("on all traces, either $p$ forever, or $p$ until $q$") is equivalent to the $\overline{L^\mu_3}$-formula $(\nu x : p \wedge \forall\bigcirc(q \vee x))$ (notice that one argument of the disjunction is a constant).

If we apply the symbolic semi-algorithm ModelCheck of Figure 2 to the region algebra of a symbolic transition system $S$ and an input formula from $L^\mu_3$, then all regions which are generated by ModelCheck are also generated by the semi-algorithm Closure3 on input $\mathcal{R}_S$. Thus, if Closure3 terminates, then so does ModelCheck.

Theorem 3B For all symbolic transition systems $S$ in STS3 and every $L^\mu_3$-formula $\varphi$, the symbolic semi-algorithm ModelCheck terminates on the region algebra $\mathcal{R}_S$ and the input formula $\varphi$.

Corollary 3B The $L^\mu_3$ and $\overline{L^\mu_3}$ model-checking problems are decidable for the class STS3 of symbolic transition systems.

Remark: LTL model checking These results suggest, in particular, a symbolic procedure for model checking LTL properties over STS3 systems [HM99]. Suppose that $S$ is a symbolic transition system in the class STS3, and $\varphi$ is an LTL formula. First, convert $\neg\varphi$ to a Büchi automaton $B_{\neg\varphi}$ using a tableau construction, and then to an equivalent $L^\mu_3$-formula $\psi$ (introduce one variable per state of $B_{\neg\varphi}$). Second, run the symbolic semi-algorithm ModelCheck on inputs $\mathcal{R}_S$ and $\psi$. It will terminate with a representation of the complement of the set of states that satisfy $\varphi$ in $S$. □
Fig. 5. Distance equivalence is coarser than trace equivalence


3.4 Example: Rectangular Hybrid Automata

For every rectangular automaton, the (time-abstract) trace-equivalence relation has finite index [HKPV98]. It follows that the symbolic semi-algorithm ModelCheck, as implemented in HyTech, decides all $L^\mu_3$ and $\overline{L^\mu_3}$ model-checking questions for rectangular automata. The rectangular automata form a maximal class of hybrid automata in STS3, because for simple generalizations of rectangular automata the reachability problem is undecidable [HKPV98].

Theorem 3C The rectangular automata belong to the class STS3.

4 Class-4 Symbolic Transition Systems

We define two states of a transition system to be "distance equivalent" if for every distance $d$, the same observables can be reached in $d$ transitions. Class-4 systems are characterized by finite distance-equivalence quotients. The region algebra of a class-4 system has a finite subalgebra that contains the observables and is closed under Pre operations. This enables the model checking of all existential conjunction-free and universal disjunction-free $\mu$-calculus properties, such as the property that an observable can be reached in an even number of transitions.


4.1 Finite Characterization: Equi-distant Targets

Definition: Distance equivalence Let $S$ be a transition system. Two states $s$ and $t$ of $S$ are distance equivalent, denoted $s \cong_4 t$, if for every source-$s$ trace of $S$ with length $n$ and target $p$, there is a source-$t$ trace of $S$ with length $n$ and target $p$, and vice versa. The state equivalence $\cong_4$ is called distance equivalence. □

Definition: Class STS4 A symbolic transition system $S$ belongs to the class STS4 if the distance-equivalence relation $\cong_4$ has finite index. □

Figure 5 shows that distance equivalence is coarser than trace equivalence ($s$ and $t$ are distance equivalent but not trace equivalent). It follows that the class STS4 of symbolic transition systems is a proper extension of STS3.
Symbolic semi-algorithm Closure4

Input: a region algebra $\mathcal{R} = (P, \mathit{Pre}, \cdot, \mathit{Diff}, \mathit{Empty})$.

$T_0 := P$;
for $i = 0, 1, 2, \ldots$ do
    $T_{i+1} := T_i \;\cup\; \{\mathit{Pre}(\sigma) \mid \sigma \in T_i\}$
until $\llbracket T_{i+1} \rrbracket \subseteq \llbracket T_i \rrbracket$.

The termination test $\llbracket T_{i+1} \rrbracket \subseteq \llbracket T_i \rrbracket$ is decided as in Figure 1.

Fig. 6. Predecessor iteration


4.2 Symbolic State-space Exploration: Predecessor Iteration

The symbolic semi-algorithm Closure4 of Figure 6 computes the subalgebra of a region algebra $\mathcal{R}_S$ that contains the observables and is closed under the Pre operation. Suppose that the input given to Closure4 is the region algebra of a symbolic transition system $S = (Q, \delta, \Sigma, \llbracket\cdot\rrbracket, P)$. For $i \ge 0$ and $s, t \in Q$, define $s \approx^i_4 t$ if for every source-$s$ trace of $S$ with length $n \le i$ and target $p$, there is a source-$t$ trace of $S$ with length $n$ and target $p$, and vice versa. By induction it is easy to check that for all $i \ge 0$, the extension of every region in $T_i$, as computed by Closure4, is a $\approx^i_4$-block. Since $\approx^i_4$ is as coarse as $\approx^{i+1}_4$ for all $i \ge 0$, and $\cong_4$ is equal to $\bigcap\{\approx^i_4 \mid i \ge 0\}$, if $\cong_4$ has finite index, then $\cong_4$ is equal to $\approx^i_4$ for some $i \ge 0$. Then every region generated by Closure4 is a union of the finitely many $\cong_4$-blocks, so only finitely many extensions can ever be added, and Closure4 terminates. Conversely, suppose that Closure4 terminates with $\llbracket T_{i+1} \rrbracket \subseteq \llbracket T_i \rrbracket$. In this case, if for all regions $\sigma \in T_i$, we have $s \in \llbracket\sigma\rrbracket$ iff $t \in \llbracket\sigma\rrbracket$, then $s \cong_4 t$. This is because if $s$ can reach an observable $p$ in $n$ transitions, but $t$ cannot, then there is a region in $T_i$, namely $\mathit{Pre}^n(p)$, such that $s \in \llbracket\mathit{Pre}^n(p)\rrbracket$ and $t \notin \llbracket\mathit{Pre}^n(p)\rrbracket$. It follows that $\cong_4$ has finite index.

Theorem 4A For all symbolic transition systems $S$, the symbolic semi-algorithm Closure4 terminates on the region algebra $\mathcal{R}_S$ iff $S$ belongs to the class STS4.

Corollary 4A The $\cong_4$ (distance) equivalence problem is decidable for the class STS4 of symbolic transition systems.


4.3 Decidable Properties: Conjunction-free Linear Time

Definition: Conjunction-free $\mu$-calculus The conjunction-free $\mu$-calculus consists of the $\mu$-calculus formulas that are generated by the grammar

$$\varphi ::= p \mid x \mid \varphi \vee \varphi \mid \exists\bigcirc\varphi \mid (\mu x : \varphi)$$

for constants $p \in \Pi$ and variables $x \in X$. The state logic $L^\mu_4$ consists of the closed formulas of the conjunction-free $\mu$-calculus. The state logic $\overline{L^\mu_4}$ consists of the duals of all $L^\mu_4$-formulas. □
Definition: Conjunction-free temporal logic The formulas of the conjunction-free temporal logic $L^t_4$ are generated by the grammar

$$\varphi ::= p \mid \varphi \vee \varphi \mid \exists\bigcirc\varphi \mid \exists\Diamond_{\le d}\,\varphi \mid \exists\Diamond\varphi,$$

for constants $p \in \Pi$ and nonnegative integers $d$. Let $S = (Q, \delta, \cdot, \llbracket\cdot\rrbracket, P)$ be a transition system whose observables include all constants; that is, $\Pi \subseteq P$. The $L^t_4$-formula $\varphi$ defines the set $\llbracket\varphi\rrbracket_S \subseteq Q$ of satisfying states:

$\llbracket p \rrbracket_S = \llbracket p \rrbracket$;

$\llbracket \varphi_1 \vee \varphi_2 \rrbracket_S = \llbracket \varphi_1 \rrbracket_S \cup \llbracket \varphi_2 \rrbracket_S$;

$\llbracket \exists\bigcirc\varphi \rrbracket_S = \{ s \in Q \mid (\exists t \in \delta(s) : t \in \llbracket\varphi\rrbracket_S) \}$;

$\llbracket \exists\Diamond_{\le d}\,\varphi \rrbracket_S = \{ s \in Q \mid$ there is a source-$s$ trace of $S$ with length at most $d$ and sink in $\llbracket\varphi\rrbracket_S \}$;

$\llbracket \exists\Diamond\varphi \rrbracket_S = \{ s \in Q \mid$ there is a source-$s$ trace of $S$ with sink in $\llbracket\varphi\rrbracket_S \}$.

(The constructor $\exists\Diamond_{\le d}$ is definable from $\exists\bigcirc$ and $\vee$; however, it will be essential in the $\exists\bigcirc$-free fragment of $L^t_4$ we will consider below.) □

Remark: Duality For every $L^t_4$-formula $\varphi$, the dual formula $\overline{\varphi}$ is obtained by replacing the constructors $p$, $\vee$, $\exists\bigcirc$, $\exists\Diamond_{\le d}$, and $\exists\Diamond$ by $\bar{p}$, $\wedge$, $\forall\bigcirc$, $\forall\Box_{\le d}$, and $\forall\Box$, respectively. The semantics of the dual constructors is defined as usual, such that $\llbracket\overline{\varphi}\rrbracket_S = Q \setminus \llbracket\varphi\rrbracket_S$. The state logic $\overline{L^t_4}$ consists of the duals of all $L^t_4$-formulas. It follows that the answer of the model-checking question for a state $s \in Q$ and an $\overline{L^t_4}$-formula $\overline{\varphi}$ is complementary to the answer of the model-checking question for $s$ and the $L^t_4$-formula $\varphi$. □

The following facts about the conjunction-free $\mu$-calculus, conjunction-free temporal logic, and their duals are relevant in our context. First, both $L^\mu_4$ and $\overline{L^\mu_4}$ admit abstraction, and the state equivalence induced by both $L^\mu_4$ and $\overline{L^\mu_4}$ is $\cong_4$ (distance equivalence). It follows that the logic $L^\mu_3$ with restricted conjunction is more expressive than $L^\mu_4$, and $\overline{L^\mu_3}$ is more expressive than $\overline{L^\mu_4}$. Second, the conjunction-free $\mu$-calculus $L^\mu_4$ is more expressive than the conjunction-free temporal logic $L^t_4$, and $\overline{L^\mu_4}$ is more expressive than $\overline{L^t_4}$, both of which also induce distance equivalence. For example, the property that an observable can be reached in an even number of transitions can be expressed in $L^\mu_4$ but not in $L^t_4$.

If we apply the symbolic semi-algorithm ModelCheck of Figure 2 to the region algebra of a symbolic transition system $S$ and an input formula from $L^\mu_4$, then all regions which are generated by ModelCheck are also generated by the semi-algorithm Closure4 on input $\mathcal{R}_S$. Thus, if Closure4 terminates, then so does ModelCheck.

Theorem 4B For all symbolic transition systems $S$ in STS4 and every $L^\mu_4$-formula $\varphi$, the symbolic semi-algorithm ModelCheck terminates on the region algebra $\mathcal{R}_S$ and the input formula $\varphi$.

Corollary 4B The $L^\mu_4$ and $\overline{L^\mu_4}$ model-checking problems are decidable for the class STS4 of symbolic transition systems.
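The even-distance property mentioned above is the $L^\mu_4$-formula $(\mu x : p \vee \exists\bigcirc\exists\bigcirc x)$. The following Python snippet is an added example, not the paper's ModelCheck of Figure 2 (which operates on region symbols and is not shown on this page): it evaluates a closed conjunction-free $\mu$-calculus formula over an explicit finite system by Kleene iteration, records every region it produces so that one can see that only Pre-iterates of the observable and unions of them occur, and answers the dual $\overline{L^\mu_4}$ question by complementation as in the duality remark. The system, the observable and the function names are constructed for the illustration.

```python
# Constructed example system (not from the paper): a chain 0 -> 1 -> 2 -> 3 and a
# state 4 with a self-loop that also steps to 3; the observable p holds at 3 only.
SUCC = {0: {1}, 1: {2}, 2: {3}, 3: set(), 4: {4, 3}}
OBS = {"p": frozenset({3})}


def pre(succ, region):
    """Pre(sigma): states with a successor in sigma."""
    return frozenset(s for s, targets in succ.items() if targets & region)


def evaluate(formula, succ, obs, env=None, generated=None):
    """Evaluate a closed conjunction-free mu-calculus formula over an explicit system.

    Formulas are tuples: ("p", name) | ("var", x) | ("or", f, g) | ("next", f) for
    the existential next operator | ("mu", x, f) for the least fixpoint (mu x: f).
    Least fixpoints are computed by Kleene iteration from the empty set, which is
    sound because every constructor is monotone. `generated`, if given, collects
    every region produced along the way.
    """
    env = {} if env is None else env
    kind = formula[0]
    if kind == "p":
        result = obs[formula[1]]
    elif kind == "var":
        result = env[formula[1]]
    elif kind == "or":
        result = (evaluate(formula[1], succ, obs, env, generated)
                  | evaluate(formula[2], succ, obs, env, generated))
    elif kind == "next":
        result = pre(succ, evaluate(formula[1], succ, obs, env, generated))
    elif kind == "mu":
        x, body = formula[1], formula[2]
        current = frozenset()
        while True:
            nxt = evaluate(body, succ, obs, {**env, x: current}, generated)
            if nxt <= current:  # fixpoint reached (nxt == current by monotonicity)
                break
            current = nxt
        result = current
    else:
        raise ValueError(f"unknown constructor {kind!r}")
    if generated is not None:
        generated.append(result)
    return result


# (mu x: p or EX EX x): p can be reached in an even number of transitions.
EVEN_REACH_P = ("mu", "x", ("or", ("p", "p"), ("next", ("next", ("var", "x")))))


def even_reach(succ=SUCC, obs=OBS):
    """Satisfying states of EVEN_REACH_P and the set of distinct regions generated."""
    generated = []
    result = evaluate(EVEN_REACH_P, succ, obs, generated=generated)
    return result, set(generated)


def dual_even_reach(succ=SUCC, obs=OBS):
    """The dual formula (nu x: not-p and AX AX x) holds exactly on the complement:
    states from which p is never reached at an even distance."""
    return frozenset(succ) - even_reach(succ, obs)[0]


if __name__ == "__main__":
    result, regions = even_reach()
    print("even-distance reach of p:", sorted(result))
    print("distinct regions generated:", len(regions))
    print("dual formula holds at:", sorted(dual_even_reach()))
```

State 0 reaches $p$ only in three transitions and state 2 only in one, so both fall outside the least fixpoint, while state 4 can pad its path with the self-loop and is inside. Every region generated is $p$, one of $\mathit{Pre}(p)$, $\mathit{Pre}^2(p)$, $\mathit{Pre}^3(p)$, or a union of these (the empty set comes from the first iterate of $x$), which is the content of the observation that Closure4 generates everything ModelCheck needs for this fragment.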
Fig. 7. Bounded-reach equivalence is coarser than distance equivalence


5 Class-5 Symbol Transition Systems

We define two states of a transition system to be "bounded-reach equivalent" if for every distance $d$, the same observables can be reached in $d$ or fewer transitions. Class-5 systems are characterized by finite bounded-reach-equivalence quotients. Equivalently, for every observable $p$ there is a finite bound $n_p$ such that all states that can reach $p$ can do so in at most $n_p$ transitions. This enables the model checking of all reachability and (by duality) invariance properties. The transition systems in class 5 have also been called "well-structured" [ACJT96]. Infinite-state examples of class-5 systems are provided by networks of rectangular hybrid automata.

5.1 Finite Characterization: Bounded-distance Targets

Definition: Bounded-reach equivalence Let $S$ be a transition system. Two states $s$ and $t$ of $S$ are bounded-reach equivalent, denoted $s \cong_5 t$, if for every source-$s$ trace of $S$ with length $n$ and target $p$, there is a source-$t$ trace of $S$ with length at most $n$ and target $p$, and vice versa. The state equivalence $\cong_5$ is called bounded-reach equivalence. □

Definition: Class STS5 A symbolic transition system $S$ belongs to the class STS5 if the bounded-reach-equivalence relation $\cong_5$ has finite index. □

Figure 7 shows that bounded-reach equivalence is coarser than distance equivalence (all states $s_i$, for $i \ge 0$, are bounded-reach equivalent, but no two of them are distance equivalent). It follows that the class STS5 of symbolic transition systems is a proper extension of STS4.

5.2 Symbolic State-space Exploration: Predecessor Aggregation

The symbolic semi-algorithm Reach of Figure 8 starts from the observables and repeatedly applies the Pre operation, but its termination criterion is more easily met than the termination criterion of the semi-algorithm Closure4; that is, Reach may terminate on more inputs than Closure4. Indeed, we shall show that, when the input is the region algebra of a symbolic transition system $S = (Q, \delta, \Sigma, \llbracket\cdot\rrbracket, P)$, then Reach terminates iff $S$ belongs to the class STS5. Furthermore, upon termination, $s \cong_5 t$ iff for each observable $p \in P$ and each $j \ge 0$, the state $s$ belongs to the aggregated set $\bigcup\{\llbracket\sigma\rrbracket \mid \sigma \in T_j\}$ computed for $p$ iff $t$ does. This aggregated set is $\llbracket\exists\Diamond_{\le j}\,p\rrbracket_S$ (the states that can reach $p$ in at most $j$ transitions), and it no longer changes once the inner loop for $p$ has terminated, so only finitely many $j$ need to be compared.

Symbolic semi-algorithm Reach

Input: a region algebra $\mathcal{R} = (P, \mathit{Pre}, \mathit{And}, \mathit{Diff}, \mathit{Empty})$.

for each $p \in P$ do
    $T_0 := \{p\}$;
    for $i = 0, 1, 2, \ldots$ do
        $T_{i+1} := T_i \;\cup\; \{\mathit{Pre}(\sigma) \mid \sigma \in T_i\}$
    until $\bigcup\{\llbracket\sigma\rrbracket \mid \sigma \in T_{i+1}\} \subseteq \bigcup\{\llbracket\sigma\rrbracket \mid \sigma \in T_i\}$
end.

The termination test $\bigcup\{\llbracket\sigma\rrbracket \mid \sigma \in T_{i+1}\} \subseteq \bigcup\{\llbracket\sigma\rrbracket \mid \sigma \in T_i\}$ is decided as in Figure 2.

Fig. 8. Predecessor aggregation

An alternative characterization of the class STS5 can be given using well-quasi-orders on states [ACJT96,FS98]. A quasi-order on a set $A$ is a reflexive and transitive binary relation on $A$. A well-quasi-order on $A$ is a quasi-order $\preceq$ on $A$ such that for every infinite sequence $a_0, a_1, a_2, \ldots$ of elements $a_i \in A$ there exist indices $i$ and $j$ with $i < j$ and $a_i \preceq a_j$. A set $B \subseteq A$ is upward-closed if for all $b \in B$ and $a \in A$, if $b \preceq a$, then $a \in B$. It can be shown that if $\preceq$ is a well-quasi-order on $A$, then every infinite increasing sequence $B_0 \subseteq B_1 \subseteq B_2 \subseteq \cdots$ of upward-closed sets $B_i \subseteq A$ eventually stabilizes; that is, there exists an index $i \ge 0$ such that $B_j = B_i$ for all $j \ge i$.

Theorem 5A For all symbolic transition systems $S$, the following three conditions are equivalent:

1. $S$ belongs to the class STS5.

2. The symbolic semi-algorithm Reach terminates on the region algebra $\mathcal{R}_S$.

3. There is a well-quasi-order $\preceq$ on the states of $S$ such that for all observations $p$ and all nonnegative integers $d$, the set $\llbracket\exists\Diamond_{\le d}\,p\rrbracket_S$ is upward-closed.

Proof (2 $\Rightarrow$ 1) Define $s \approx^n_5 t$ if for all observations $p$, for every source-$s$ trace with length at most $n$ and target $p$, there is a source-$t$ trace with length at most $n$ and target $p$, and vice versa. Note that $\approx^n_5$ has finite index for all $n \ge 0$. Suppose that the semi-algorithm Reach terminates in at most $i$ iterations for each observation $p$. Then for all $n \ge i$, the equivalence relation $\approx^n_5$ is equal to $\approx^i_5$. Since $\cong_5$ is equal to $\bigcap\{\approx^n_5 \mid n \ge 0\}$, it has finite index.

(1 $\Rightarrow$ 3) Define the quasi-order $s \preceq t$ if for all observables $p$ and all $n \ge 0$, for every source-$s$ trace with length $n$ and target $p$, there is a source-$t$ trace with length at most $n$ and target $p$. Then each set $\llbracket\exists\Diamond_{\le d}\,p\rrbracket_S$, for an observable $p$ and a nonnegative integer $d$, is upward-closed with respect to $\preceq$. Furthermore, if $\cong_5$ has finite index, then $\preceq$ is a well-quasi-order. This is because $s \cong_5 t$ implies $s \preceq t$: if there were an infinite sequence $s_0, s_1, s_2, \ldots$ of states such that for all $i > 0$ and $j < i$, we have $s_j \not\preceq s_i$, then no two of these states would be $\cong_5$-equivalent.

(3 $\Rightarrow$ 2) This part of the proof follows immediately from the stabilization property of well-quasi-orders [ACJT96]: for each observable $p$, the aggregated sets $\bigcup\{\llbracket\sigma\rrbracket \mid \sigma \in T_i\} = \llbracket\exists\Diamond_{\le i}\,p\rrbracket_S$ computed by Reach form an increasing sequence of upward-closed sets, which must eventually stabilize. □
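Condition 3 of Theorem 5A is the route by which the backward-reachability algorithm for well-structured transition systems [ACJT96] fits into class 5. The Python program below is an added illustration, not from the paper, and it uses a different well-structured system than the paper's example of Section 5.4: a vector addition system over $\mathbb{N}^2$, where the observable $p$ is an upward-closed set and every upward-closed region is stored as the antichain of its minimal elements (finite by Dickson's lemma, which also makes the componentwise order a well-quasi-order). It runs the inner loop of Reach for that one observable: Pre of an upward-closed set is again upward-closed, the aggregated sets grow monotonically, and stabilization guarantees termination even though the state space is infinite. The transitions, the target and the function names are constructed for the example.

```python
def pre_upward(d, u):
    """Pre of the upward-closed region generated by u, under the transition x -> x + d.
    A state x belongs to it iff x + d >= 0 and x + d >= u componentwise, i.e.
    x >= max(u - d, 0) (the bound -d is subsumed because u >= 0), so the result is
    again upward-closed and generated by a single vector."""
    return tuple(max(ui - di, 0) for ui, di in zip(u, d))


def leq(u, v):
    """Componentwise order on N^k: a well-quasi-order by Dickson's lemma."""
    return all(a <= b for a, b in zip(u, v))


def minimize(generators):
    """Antichain of minimal elements: the canonical representation of an upward-closed set."""
    gens = set(generators)
    return frozenset(u for u in gens if not any(v != u and leq(v, u) for v in gens))


def included(gens_a, gens_b):
    """Up(A) subseteq Up(B) iff every generator of A dominates some generator of B.
    This is the aggregated termination test of Reach for this region algebra."""
    return all(any(leq(v, u) for v in gens_b) for u in gens_a)


def reach(transitions, target):
    """Inner loop of Reach for one observable: T_0 = {p}, T_{i+1} = T_i u Pre(T_i),
    until U[[T_{i+1}]] subseteq U[[T_i]]. Returns the minimal generators of the set of
    states that can reach the target, and the number of iterations run."""
    T = minimize(target)
    i = 0
    while True:
        i += 1
        T_next = minimize(T | {pre_upward(d, u) for d in transitions for u in T})
        if included(T_next, T):
            return T, i
        T = T_next


def covers(gens, state):
    """Membership of a concrete state in the upward-closed set generated by gens."""
    return any(leq(u, state) for u in gens)


# Constructed example (not from the paper): two counters and the transitions
#   t1 = (-1, +1): move one unit from counter 1 to counter 2;
#   t2 = (-2, +3): spend two units of counter 1 to gain three units of counter 2.
TRANSITIONS = [(-1, 1), (-2, 3)]
TARGET = {(0, 3)}  # observable p: "counter 2 holds at least 3", an upward-closed set


if __name__ == "__main__":
    gens, iterations = reach(TRANSITIONS, TARGET)
    print("states that can reach p, generated by", sorted(gens), "after", iterations, "iterations")
    for s in [(0, 3), (2, 0), (1, 2), (1, 1), (0, 0)]:
        print(s, "can reach p:", covers(gens, s))
```

The fixpoint is generated by $(0,3)$, $(1,2)$ and $(2,0)$: a configuration can reach $p$ iff counter 2 already holds 3, or counter 1 holds 1 and counter 2 holds 2, or counter 1 holds at least 2. No bound on the counters is ever needed; the second round of predecessors only produces vectors that dominate an existing generator, which is exactly the stabilization of the chain of upward-closed sets.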


5.3 Decidable Properties: Bounded Reachability

Definition: Bounded-reachability logic The bounded-reachability logic $L^t_5$ consists of the $L^t_4$-formulas that are generated by the grammar

$$\varphi ::= p \mid \varphi \vee \varphi \mid \exists\Diamond_{\le d}\,\varphi \mid \exists\Diamond\varphi,$$

for constants $p \in \Pi$ and nonnegative integers $d$. The state logic $\overline{L^t_5}$ consists of the duals of all $L^t_5$-formulas. □

The following facts about bounded-reachability logic and its dual are relevant in our context. Both $L^t_5$ and $\overline{L^t_5}$ admit abstraction, and the state equivalence induced by both $L^t_5$ and $\overline{L^t_5}$ is $\cong_5$ (bounded-reach equivalence). It follows that the conjunction-free temporal logic $L^t_4$ is more expressive than $L^t_5$, and $\overline{L^t_4}$ is more expressive than $\overline{L^t_5}$. For example, the property that an observable can be reached in exactly $d$ transitions can be expressed in $L^t_4$ but not in $L^t_5$. Since $L^t_5$ admits abstraction, and for STS5 systems the induced quotient can be constructed using the symbolic semi-algorithm Reach, we have the following theorem.

Theorem 5B The $L^t_5$ and $\overline{L^t_5}$ model-checking problems are decidable for the class STS5 of symbolic transition systems.

A direct symbolic model-checking semi-algorithm for $L^t_5$ and, indeed, for $L^t_4$ is easily derived from the semi-algorithm Reach. Then, if Reach terminates, so does model checking for all $L^t_4$-formulas, including unbounded $\exists\Diamond$ properties. The extension to $L^t_4$ is possible because $\exists\bigcirc$ properties pose no threat to termination.

5.4 Example: Networks of Rectangular Hybrid Automata

A network of timed automata [AJ98] consists of a finite-state controller and an arbitrarily large set of identical 1D timed automata. The continuous evolution of the system increases the values of all variables. The discrete transitions of the system are specified by a set of synchronization rules. We generalize the definition to rectangular automata. Formally, a network of rectangular automata is a triple $(C, H, R)$, where $C$ is a finite set of controller locations, $H$ is a 1D rectangular automaton, and $R$ is a finite set of rules of the form $r = ((c, c'), e_1, \ldots, e_n)$, where $c, c' \in C$ and $e_1, \ldots, e_n$ are jumps of $H$. The rule $r$ is enabled if the controller state is $c$ and there are $n$ rectangular automata $H_1, \ldots, H_n$ whose states are such that the jumps $e_1, \ldots, e_n$, respectively, can be performed. The rule $r$ is executed by simultaneously changing the controller state to $c'$ and the state of each $H_i$, for $1 \le i \le n$, according to the jump $e_i$. The following result is proved in [AJ98] for networks of timed automata. The proof can be extended to rectangular automata using the observation that every rectangular automaton is simulated by an appropriate timed automaton [HKPV98].

Fig. 9. Reach equivalence is coarser than bounded-reach equivalence

Theorem 5C The networks of rectangular automata belong to the class STS5. There is a network of timed automata that does not belong to STS4.


6 General Symbolic Transition Systems

For studying reachability questions on symbolic transition systems, it is natural to consider the following fragment of bounded-reachability logic.

Definition: Reachability logic The reachability logic $L^t_6$ consists of the $L^t_5$-formulas that are generated by the grammar

$$\varphi ::= p \mid \exists\Diamond\varphi,$$

for constants $p \in \Pi$. □

The reachability logic $L^t_6$ is less expressive than the bounded-reachability logic $L^t_5$, because it induces the following state equivalence, $\cong_6$, which is coarser than bounded-reach equivalence (see Figure 9: all states $s_i$, for $i \ge 0$, are reach equivalent, but no two of them are bounded-reach equivalent).

Definition: Reach equivalence Let $S$ be a transition system. Two states $s$ and $t$ of $S$ are reach equivalent, denoted $s \cong_6 t$, if for every source-$s$ trace of $S$ with target $p$, there is a source-$t$ trace of $S$ with target $p$, and vice versa. The state equivalence $\cong_6$ is called reach equivalence. □

For every symbolic transition system $S$ with $k$ observables, the reach-equivalence relation $\cong_6$ has at most $2^k$ equivalence classes and, therefore, finite index. Since the reachability problem is undecidable for many kinds of symbolic transition systems (including Turing machines and polyhedral hybrid automata [ACH+95]), it follows that there cannot be a general algorithm for computing the reach-equivalence quotient of symbolic transition systems.